FAQs: EU residents and the General Data Protection Regulation (GDPR)

Updated May 29, 2018 11:52

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects* in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

(*For Network for Good customers, an EU data subject could be a donor who is an EU resident, or an EU resident who subscribed to your email list by donating.)

How does the GDPR impact Network for Good and my software subscription?

While Network for Good does not have any physical presence in the EU, we recognize that some of our customers might be directly affected by the GDPR if they receive donations from EU residents or if EU residents have subscribed to their email list. Therefore, we are taking all the necessary steps to comply with the GDPR requirements that apply to us by implementing specific legal, technical, and organizational measures. An updated version of our Privacy Policy, with information regarding GDPR, can be found on our website. If you need help in supporting EU residents’ rights to access, update, or delete their personal information, please contact our customer support team with your requests.

Can I continue using Network for Good and be sure that I’m in compliance with GDPR requirements?

Yes! We have taken all the necessary steps for Network for Good to be in compliance with the requirements of GDPR. Talk to your legal counsel to evaluate your individual organizational processes and understand what you may need to do to ensure full compliance at your nonprofit.

How can I make sure my organization is in compliance with GDPR?

As a customer of Network for Good, you should make sure that you have a lawful basis for collecting personal information from EU residents. You are also responsible for properly handling and processing notices sent to you (or any of your agents or affiliates) by any person claiming that you have violated such person’s rights, including “requests to be forgotten” according to GDPR. Please seek legal counsel for additional GDPR requirements that are applicable to you.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (the “data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address, or location, and also by online identifiers such as an IP address, website cookies, and other device identifiers.

Who are data controllers, processors, and sub-processors?

A data controller is the entity or person that determines the purposes and means of processing an EU resident’s personal data.

A data processor is responsible for processing personal data on behalf of a controller.

A sub-processor is another processor engaged by the data processor to carry out specific processing activities on behalf of the controller.

Does GDPR apply to territories outside the EU?

GDPR can apply whenever the personal data of an EU resident is stored or processed, regardless of the physical location or territory where that happens. Establishments located in the EU are also subject to GDPR regardless of where the personal data comes from.

How do I handle user data deletion requests from EU residents?

If your users (donors, email list subscribers) ask you to delete their personal data, please reach out to us and we will remove their data individually. If you have passed any of your users’ data to third-party services (QuickBooks, another donor database, or an email system), you are responsible for ensuring that the user’s data is deleted from those services as well.

How do I establish lawful basis for collecting and processing personal data?

There are six lawful bases for processing personal data. For details on how to establish your lawful basis, please refer to the guidance provided by the ICO (the UK Information Commissioner’s Office).